Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 638 discussion

AWS Transfer Family (Option D) By configuring AWS Transfer Family SFTP endpoints, you can provide a secure and convenient way for employees to access and transfer data to and from the S3 bucket. Using custom identity provider options allows you to integrate with existing identity systems, and AWS Secrets Manager can be used to manage user credentials securely. A suggests using an AWS Lambda function to create an S3 presigned URL. While this can work, it involves manual generation of URLs and sharing them, which may not be as scalable or user-friendly. B suggests creating an IAM user for each employee with IAM policies for S3 access. This involves more operational overhead, as managing IAM users for each employee can be cumbersome and less scalable. C suggests using an S3 File Gateway. While this can work, it introduces additional components and may not be as straightforward or as efficient as using AWS Transfer Family for SFTP access.

Not A - S3 presigned URLs are temporary (max. 7 days); you'd need to create a new URL at least every 7 days and "instruct employees" to use it. Definitely NOT 'minimizing operational overhead'. Not B - "Instruct employees to use the AWS Management Console", using Management console to up- and download files is complex Not D - Secrets Manager is not for managing user credentials, and employees would not "use Transfer Family", they would use an (S)FTP client to access the files. C grants simple access for up/downloading, no operational overhead.

It is not operationally eficient to manage, for example, 1000 signed URLs or user credentials. In addition, it is sometimes dificult to instruct that many people. It's easier to create an S3 File Gateway and allow the users to mount it locally to access the bucket. It could be D if the answer said to use IAM roles instead of managing user credentials in Secrets Manager

but they didnt mention access in for daily use of occasional. If its occasional A works well but its permanant thing them mouting drive is solution.

i think is d

Less operational overheade is C https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html on client pc is easily mounted. I remain with some doubts but i will go for C

i would go with A

D seems right

A. Use an AWS Lambda function to create an S3 presigned URL. This solution meets the requirements by providing a secure way for employees to access the data stored in the Amazon S3 bucket. Here's how it works: When an employee needs to access the data, they request access from the company's system. The company's system triggers an AWS Lambda function. The Lambda function generates a presigned URL with a limited validity period. The employee uses the presigned URL to access the data directly from the S3 bucket. Once the presigned URL expires, access to the data is no longer possible, enhancing security. This solution minimizes operational overhead because it leverages AWS Lambda, which is a fully managed service. There is no need to manage servers or infrastructure, and the solution provides a secure and temporary access mechanism for sharing data stored in Amazon S3.

I legitimately get worried every time we have a tie

Answer: *A* (Lambda + S3 pre-signed URL = automatic access) *You can use the pre-signed URL multiple times, up to the expiration date and time.* https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html

Couldn't find any options that's good for the question. D is most operation efficient but not using AWS Secret Manager as managing credentials, should integrate with IAM or AD instead

Minimise op overhead: A: Lambdas and signed url will need to be managed and distributed to each employee every 7 days. So need database of employees and connect to lambda etc B: Too much work (imagine doing that for large number of employees!) D: Incomplete solution. SFTP endpoints need SFTP client and credential approach in Secrets Manager is not going to work

secure and stable connection

i would go with A, storing secret for each employ does not seem to me as minimizing operational overhead...

questions earlier can generate (lambda) presigned URL/cookies to customers who pay the subscription, or decouple image uploading from social media users. i dont see why Lambda+S3 presigned URL dont work with employees around the world here. Answer A.

it's A! This is the most efficient and secure way to share data with employees. It eliminates the need for employees to create their own AWS accounts or manage their own access credentials. It also provides a centralized way to manage the data, so the company can ensure that the data is always up-to-date and secure.